In recent years, authors of malicious software (“malware”) have attempted to proliferate malware by generating thousands or potentially millions of related variants of malicious files. For example, a malware developer may create many unique variants of a malware executable, each based on a common design. Alternatively, the malware program may modify itself each time it propagates to a new computer system, or even every time it runs (so-called “polymorphic malware”).
Unfortunately, many existing anti-malware technologies identify malware by detecting or identifying unique digital signatures or fingerprints associated with files determined to be malicious. Applying this approach to a malware program with many unique variants may entail separately identifying each malware variant. In the case of polymorphic malware, identifying one variant of a malware program may not yield a digital signature or fingerprint that can be used to identify another variant. Additionally, once many variants of a single malware program have been identified, additional analysis may be required to determine that the variants are based on a common design. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for establishing a reputation for related program files.